Handle loadbalancer SGs are created when sg_mode is create

This patch set ensures the loadbalancer SG and its rules are properly created when the sg_mode is set to create. In addition, this patch makes posible to enforce network policies for svc when sg_mode is 'create' and the octavia driver is 'ovn' Partially Implements: blueprint k8s-network-policies Closes-Bug: 1809451 Change-Id: I776e7d82bb0b3ffed45f084519a3c3180d5e915c
2018-12-21 13:20:19 +01:00 · 2018-12-21 13:20:19 +01:00 · c0e1e45891
parent 064b734679
commit c0e1e45891
1 changed files with 41 additions and 1 deletions
--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@ -164,6 +164,41 @@ class LBaaSv2Driver(base.LBaaSDriver):
                    LOG.exception('Failed when creating security group rule '
                                  'for listener %s.', listener.name)

+    def _create_lb_security_group_rule(self, loadbalancer, listener):
+        neutron = clients.get_neutron_client()
+        sg_id = self._find_listeners_sg(loadbalancer)
+        # if an SG for the loadbalancer has not being created, create one
+        if not sg_id:
+            sg = neutron.create_security_group({
+                'security_group': {
+                    'name': loadbalancer.name,
+                    'project_id': loadbalancer.project_id,
+                    },
+                })
+            sg_id = sg['security_group']['id']
+            loadbalancer.security_groups.append(sg_id)
+            vip_port = self._get_vip_port(loadbalancer)
+            neutron.update_port(
+                vip_port.get('id'),
+                {'port': {
+                    'security_groups': loadbalancer.security_groups}})
+
+        try:
+            neutron.create_security_group_rule({
+                'security_group_rule': {
+                    'direction': 'ingress',
+                    'port_range_min': listener.port,
+                    'port_range_max': listener.port,
+                    'protocol': listener.protocol,
+                    'security_group_id': sg_id,
+                    'description': listener.name,
+                },
+            })
+        except n_exc.NeutronClientException as ex:
+            if ex.status_code != requests.codes.conflict:
+                LOG.exception('Failed when creating security group rule '
+                              'for listener %s.', listener.name)
+
    def _extend_lb_security_group_rules(self, loadbalancer, listener):
        neutron = clients.get_neutron_client()

@ -249,10 +284,15 @@ class LBaaSv2Driver(base.LBaaSDriver):
        namespace_isolation = (
            'namespace' in CONF.kubernetes.enabled_handlers and
            CONF.kubernetes.service_security_groups_driver == 'namespace')
+        create_sg = CONF.octavia_defaults.sg_mode == 'create'
+
        if loadbalancer.provider == const.NEUTRON_LBAAS_HAPROXY_PROVIDER:
            self._ensure_lb_security_group_rule(loadbalancer, listener)
-        elif service_type == 'ClusterIP' and namespace_isolation:
+        elif namespace_isolation and (service_type == 'ClusterIP' or
+                                      create_sg):
            self._extend_lb_security_group_rules(loadbalancer, listener)
+        elif create_sg:
+            self._create_lb_security_group_rule(loadbalancer, listener)

    def ensure_listener(self, loadbalancer, protocol, port,
                        service_type='ClusterIP'):